- Aug 17, 2014
A variant of the DJVU ransomware strain has been observed being distributed disguised as cracked software.
"While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demands a ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," Cybereason security researcher Ralph Villanueva said.
A notable aspect of DJVU attacks is the deployment of additional malware, such as information stealers (e.g., RedLine Stealer and Vidar), which makes them more damaging.
In the latest attack chain documented by Cybereason, Xaro is propagated as an archive file from a dubious source that masquerades as a site offering legitimate freeware.
Opening the archive file leads to the execution of a supposed installer binary for the PDF-writing software CutePDF that, in reality, is a pay-per-install malware downloader service known as PrivateLoader.
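As an added, defender-side illustration (not code from the article or the Cybereason report), the Python below flags any process that appends the .xaro extension to several distinct files within a short window, which is the on-disk trace the encryption stage of this variant leaves. The event tuple format, the process and file paths, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".xaro"  # extension the DJVU variant described above appends to files

# Constructed rename telemetry: (ISO timestamp, process image, old path, new path).
# Process and file paths are invented placeholders, not indicators from the report.
MAL = r"C:\Users\u\AppData\Local\Temp\payload.exe"
EXP = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    ("2023-11-01T10:00:01", MAL, r"C:\Users\u\Docs\a.docx", r"C:\Users\u\Docs\a.docx.xaro"),
    ("2023-11-01T10:00:02", MAL, r"C:\Users\u\Docs\b.xlsx", r"C:\Users\u\Docs\b.xlsx.xaro"),
    ("2023-11-01T10:00:03", EXP, r"C:\Users\u\Docs\notes.txt", r"C:\Users\u\Docs\notes.bak"),
    ("2023-11-01T10:00:05", MAL, r"C:\Users\u\Docs\c.pdf", r"C:\Users\u\Docs\c.pdf.xaro"),
    ("2023-11-01T10:00:09", MAL, r"C:\Users\u\Pics\d.jpg", r"C:\Users\u\Pics\d.jpg.xaro"),
    ("2023-11-01T10:05:00", MAL, r"C:\Users\u\Pics\e.png", r"C:\Users\u\Pics\e.png.xaro"),
    ("2023-11-01T10:30:00", EXP, r"C:\Users\u\Docs\old.txt", r"C:\Users\u\Docs\old.txt.xaro"),
]

def is_ransom_rename(old_path, new_path):
    """True when the rename appends .xaro to the full original name (a.docx -> a.docx.xaro),
    which is how this family marks encrypted files; a plain extension swap does not match."""
    return new_path.lower() == old_path.lower() + RANSOM_EXT

def detect_mass_xaro_renames(events, min_files=3, window=timedelta(seconds=60)):
    """Return {process: peak_distinct_files} for every process that appended .xaro to at
    least min_files distinct files inside some sliding window of the given length."""
    hits = defaultdict(list)  # process -> [(timestamp, old path)]
    for ts, proc, old_path, new_path in events:
        if is_ransom_rename(old_path, new_path):
            hits[proc].append((datetime.fromisoformat(ts), old_path))

    alerts = {}
    for proc, renames in hits.items():
        renames.sort()
        start, peak = 0, 0
        for end in range(len(renames)):
            # slide the window start forward until the span fits inside `window`
            while renames[end][0] - renames[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, p in renames[start:end + 1]}))
        if peak >= min_files:
            alerts[proc] = peak
    return alerts

if __name__ == "__main__":
    print(detect_mass_xaro_renames(SAMPLE_EVENTS))  # {MAL: 4}
```

A single manual rename to .xaro (the explorer.exe event) stays below the threshold, while the payload's burst of four renames in eight seconds is reported; the later fifth rename falls outside the window and does not inflate the count.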